The National Security Agency (NSA) warns that Russian state-sponsored hackers are exploiting a recently patched vulnerability in VMware products to steal sensitive information, after first deploying web shells on vulnerable servers.
"NSA encourages network administrators of National Security System (NSS), Department of Defense (DoD) and other similar services to prioritize mitigation of the vulnerability on affected servers," said the US Department of Defense's intelligence agency.
The NSA did not provide information on the victims of the attacks exploiting the vulnerability.
"Any organization using vulnerable VMware products should take immediate action to implement the patch released by the vendor," the NSA said.
Security updates available
VMware released security updates on December 3 to fix the vulnerability. The flaw had been publicly disclosed about two weeks before the updates, together with a workaround.
The vulnerability (CVE-2020-4006) was initially rated "critical" (CVSSv3 9.1), but VMware lowered its severity to "important" (CVSSv3 7.2) after releasing the update, noting that exploitation requires a valid password for the configurator admin account, which the attacker must already possess.
The VMware products affected by this zero-day vulnerability are:
- VMware Workspace One Access 20.01, 20.10 (Linux)
- VMware Identity Manager (vIDM) 3.3.1 to 3.3.3 (Linux)
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux)
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 / 19.03.0.0, 19.03.0.1 (Windows)
- VMware Cloud Foundation 4.x
- VMware vRealize Suite Lifecycle Manager 8.x
Administrators who cannot immediately deploy the update can apply a temporary workaround to block attacks exploiting CVE-2020-4006. VMware has published workaround instructions for both the Windows and the Linux versions of the affected products.
"This should only be a temporary fix until the system is fully updated," the NSA said.
Exploitation allows web shell deployment and data theft
In the attacks detected by the NSA, the attackers connected to the web-based management interface of devices running vulnerable VMware products (the configurator interface, which listens on TCP port 8443) and used command injection to install web shells, gaining a foothold in the organizations' networks.
After deploying the web shells, the attackers stole sensitive data by generating SAML authentication assertions and presenting them to Microsoft Active Directory Federation Services (ADFS) servers, which then granted access to protected data.
Detecting these attacks is not easy: the malicious activity takes place after connecting to the web management interface over TLS-encrypted tunnels, so network-based detection is difficult.
However, 'exit' statements followed by three digits, such as "exit 123", in /opt/vmware/horizon/workspace/logs/configurator.log on the server are an indication of an attempt to exploit the device.
"Other commands may also be present, along with encoded scripts. If this is found, an investigation should be conducted," the NSA added. "Additional server analysis is recommended, especially for web shell malware."
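As an added example (not code from the NSA advisory, VMware or the original article), the following Python script scans configurator.log lines for the two indicators described above: an 'exit' statement followed by three digits, and base64-looking encoded scripts inside logged commands. The log line format, the sample entries, the 16-character threshold for an encoded blob and the function names are assumptions for illustration; the article does not show the real appliance log format.

```python
"""Look for the CVE-2020-4006 exploitation indicators described above in a
VMware configurator.log. Added illustration: the log format and the sample
lines are constructed assumptions, not output from a real appliance."""
import base64
import re
from typing import Iterable, List, NamedTuple

LOG_PATH = "/opt/vmware/horizon/workspace/logs/configurator.log"

# Indicator 1: 'exit' followed by exactly three digits ("exit 123").
# "exit 0", "exit 12" and "exit 1234" do not match.
EXIT_RE = re.compile(r"\bexit\s+\d{3}\b")

# Indicator 2: a base64-alphabet run of at least 16 characters (assumed
# threshold) with optional padding, not glued to other base64 characters.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


class Finding(NamedTuple):
    line_no: int
    reason: str
    line: str


def looks_base64(token: str) -> bool:
    """Filter out ordinary identifiers such as class names or hostnames:
    require padding or a digit, a length that is a multiple of 4, and a
    clean strict decode."""
    if not (token.endswith("=") or any(c.isdigit() for c in token)):
        return False
    if len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per indicator hit, in file order."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        text = line.rstrip("\n")
        if EXIT_RE.search(text):
            findings.append(Finding(no, "exit statement followed by three digits", text))
        for m in B64_RE.finditer(text):
            if looks_base64(m.group(0)):
                findings.append(Finding(no, f"encoded script candidate: {m.group(0)}", text))
    return findings


def scan_file(path: str = LOG_PATH) -> List[Finding]:
    """Scan the real log on the appliance (path is the one named in the article)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample: a normal admin session followed by an injected command
# that decodes and runs a base64 payload and ends with "exit 123".
SAMPLE_LOG = """\
2020-12-01 10:15:02 INFO  Admin login for user 'configadmin' from 10.0.0.25
2020-12-01 10:15:09 INFO  Running command: service hzn status
2020-12-01 10:15:10 INFO  Command finished, exit 0
2020-12-01 10:16:44 INFO  Running command: echo cHJpbnQoImhlbGxvIik= | base64 -d | python; exit 123
2020-12-01 10:17:01 INFO  Admin logout
"""

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason}")
        print(f"    {f.line}")
```

On the sample input only the injected command line is reported, once for each indicator. A hit is a reason to open an investigation rather than proof of compromise; as the NSA recommends, it should be followed by a wider analysis of the server for web shells.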
Reducing the risk of successful attacks
As noted above, exploiting the vulnerability requires knowing the configurator admin password, so using a strong, unique password for that account is essential.
In addition, restricting access to the web-based management interface of vulnerable VMware products, so that only trusted administrative hosts can reach it, further reduces the risk of a successful attack.
According to the NSA, at the slightest suspicion of a breach the indicators of exploitation should be investigated. Multi-factor authentication should also be enforced.
The NSA did not name the Russian APT group exploiting the VMware vulnerability. In recent months, however, a group has been systematically targeting the networks of US government agencies.
Source: Bleeping Computer